Ensure invitees are not returned in Members API

Signed-off-by: Rémy Coutable <remy@rymai.me>
This commit is contained in:
Rémy Coutable 2016-09-15 18:34:57 +02:00
parent 7afee665b0
commit d8dd1c1940
5 changed files with 25 additions and 17 deletions

View file

@ -12,6 +12,7 @@ v 8.12.0 (unreleased)
- Update gitlab shell secret file also when it is empty. !3774 (glensc)
- Give project selection dropdowns responsive width, make non-wrapping.
- Make push events have equal vertical spacing.
- API: Ensure invitees are not returned in Members API.
- Add two-factor recovery endpoint to internal API !5510
- Pass the "Remember me" value to the U2F authentication form
- Remove vendor prefixes for linear-gradient CSS (ClemMakesApps)

View file

@ -20,7 +20,7 @@ module API
access_requesters = paginate(source.requesters.includes(:user))
present access_requesters.map(&:user), with: Entities::AccessRequester, access_requesters: access_requesters
present access_requesters.map(&:user), with: Entities::AccessRequester, source: source
end
# Request access to the group/project

View file

@ -104,18 +104,18 @@ module API
class Member < UserBasic
expose :access_level do |user, options|
member = options[:member] || options[:members].find { |m| m.user_id == user.id }
member = options[:member] || options[:source].members.find_by(user_id: user.id)
member.access_level
end
expose :expires_at do |user, options|
member = options[:member] || options[:members].find { |m| m.user_id == user.id }
member = options[:member] || options[:source].members.find_by(user_id: user.id)
member.expires_at
end
end
class AccessRequester < UserBasic
expose :requested_at do |user, options|
access_requester = options[:access_requester] || options[:access_requesters].find { |m| m.user_id == user.id }
access_requester = options[:access_requester] || options[:source].requesters.find_by(user_id: user.id)
access_requester.requested_at
end
end

View file

@ -18,11 +18,11 @@ module API
get ":id/members" do
source = find_source(source_type, params[:id])
members = source.members.includes(:user)
members = members.joins(:user).merge(User.search(params[:query])) if params[:query]
members = paginate(members)
users = source.users
users = users.merge(User.search(params[:query])) if params[:query]
users = paginate(users)
present members.map(&:user), with: Entities::Member, members: members
present users, with: Entities::Member, source: source
end
# Get a group/project member

View file

@ -30,20 +30,27 @@ describe API::Members, api: true do
let(:route) { get api("/#{source_type.pluralize}/#{source.id}/members", stranger) }
end
context 'when authenticated as a non-member' do
%i[access_requester stranger].each do |type|
context "as a #{type}" do
it 'returns 200' do
user = public_send(type)
get api("/#{source_type.pluralize}/#{source.id}/members", user)
%i[master developer access_requester stranger].each do |type|
context "when authenticated as a #{type}" do
it 'returns 200' do
user = public_send(type)
get api("/#{source_type.pluralize}/#{source.id}/members", user)
expect(response).to have_http_status(200)
expect(json_response.size).to eq(2)
end
expect(response).to have_http_status(200)
expect(json_response.size).to eq(2)
end
end
end
it 'does not return invitees' do
invitee = create(:"#{source_type}_member", invite_token: '123', invite_email: 'test@abc.com', source: source, user: nil)
get api("/#{source_type.pluralize}/#{source.id}/members", developer)
expect(response).to have_http_status(200)
expect(json_response.size).to eq(2)
end
it 'finds members with query string' do
get api("/#{source_type.pluralize}/#{source.id}/members", developer), query: master.username